Overview#
Global Catalog in
Microsoft Active Directory is is a
Distributed system Data Store Service where only the
Partial Attribute Set Replicated to specific Global Catalog
Domain Controllers.
Global Catalog is primarily used for as a Discovery Mechanism and to enhance searching. Global Catalog provides a searchable catalog of all objects in every AD DOMAIN in an AD Forest.
Global Catalog Servers#
A Global Catalog server is a
Domain Controller that stores Global Catalog information; its
database stores rows for every object in the
AD Forest instead of rows for only the objects in one
AD DOMAIN.
The rows that store objects that occur in AD DOMAIN directory partitions other than the local domain partition hold only a subset of attributes for each object. In this way, the Global Catalog enables forest-wide searches without requiring replication of the entire contents of Active Directory to every Domain Controller.
The Knowledge Consistency Checker (KCC) process creates a replication topology that ensures delivery of the contents of every Microsoft Active Directory partition to every Global Catalog server in the AD Forest.
Characteristics of Global Catalog#
- Global Catalogs are also Domain Controllers
- Global Catalog servers stores information about all objects of all domains of the entire forest.
- Global Catalog servers do Not the complete set of attributes for these objects are stored.
- Global Catalog servers replicate the data with all other Global Catalogs in the forest.
- Global Catalog function increases replication load on the regarding server.
- Global Catalog access over LDAP is done as a normal LDAP connection over TCP port 3268 (or 3269 for LDAP over SSL).
- Global Catalog requests are Read Only.
- Global Catalog Domain Controller have a DNS SRV Record is created in DNS.
By default, the server on which you install Active Directory to create the first domain in a new forest is a Global Catalog server. Thereafter, you must designate additional Global Catalog servers, if they are needed.
Searches That Use the Global Catalog by Default#
Any time that you specify port 3268, you are searching in the Global Catalog.
In addition, the Global Catalog is searched by default under the following conditions:
- During the logon process when a user principal name is presented. The Global Catalog is searched to find the domain and account name on the basis of the user principal name.
- During the logon process to expand Universal Groups as Universal Group membership can span domains.
- When you choose Entire Directory in a search-scope list.????
- When you write the value for a distinguished name-valued property, where the distinguished name represents a nonlocal object. For example, if the member that you are adding is from a different domain, the Global Catalog is used to verify that the user object represented by the distinguished name actually exists.
In an
Microsoft Active Directory environment, all Global Catalog are anchored in DNS. The
DNS SRV Records 'GC._msdcs.example.com' So if your root domain in the forest is e.g. example.com, then you get a list of all GCs with this command:
nslookup -type=any gc._msdcs.example.com
Will return all the Domain Controllers that are Global Catalog
You can also use dsquery
Will return the
distinguished Names of all the
Domain Controllers that are Global Catalog for the current domain.
And using an Search Request LDAP SearchFilters
(&(objectClass=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))
Not all
Active Directory Groups and their
members are available within the Global Catalog.
There might be more information for this subject on one of the following: